How to force changed permissions on moved files

Posted on 2010-04-05
Medium Priority
Last Modified: 2013-12-04
We would like to allow users to move files from one folder to another (within the same directory), and have the file pick up the permissions from the destination folder instead of retaining permissions from the original folder.  How do we set up the folder properties to have this happen?
Question by:Links_Technology
  • 4
  • 4

Expert Comment

ID: 29833526
This is definitely doable and a common file share scenario. Fear not!  :)

Assuming two folders within the same parent directory (e.g. Shared\Folder X and Shared\Folder Y), it sounds from your question like you need files moved from the source folder (Folder X) to inherit the permissions from the destination (Folder Y)?

If that's the case, here's what you're looking for ...

1. Disable inheritance if the permissions of Folder Y need to differ from its parent folder (Shared, in this case).
a. Right-click Folder Y and click Properties
b. Click the Security tab
c. Click the Advanced button (bottom-right corner)
d. On the Permissions tab, deselect/uncheck "Allow inheritable permissions from the parent to propagate to this object . . ."
e. Click Apply
f. Select Copy or Remove, depending on your preference. If you want to start from a blank slate, select Remove. If you want to retain the permissions from the parent folder as a starting point, select Copy.
2. Add/Remove permission entries to suit your needs, ensuring that an appropriate scope (Apply To/Apply onto:) value is selected for each. The default value ("This folder, subfolders and files") is appropriate in most cases.
Example: Adding "CONTOSO\Domain Users" with "Read Permissions" and Apply onto: "This folder, subfolders and files" gives all users within the CONTOSO domain Read permissions over Folder Y, its contents, and the contents of its subfolders.
3. If Folder Y already contains files and subfolders, and you also want their permissions to match, be sure to check/select the "Replace permission entries . . ." option.

4. Click OK to save your changes. Move a file or folder from Folder X to Folder Y and ensure that its permissions are modified accordingly once moved. (The file or folder's ACL should match that of Folder Y.)

For more information, take a look at:

Hope this helps!


Author Comment

ID: 29837106
Here's a better description of what is going on:

Shared Folder
  -> Subfolder of user A
  -> Subfolder of user B
  -> Subfolder of boss

Users A & B each have full access to their own folders, and write access to the boss' subfolder (but no read, execute, etc).

The users create invoices that need to be approved by the boss, who then sends them on up the chain for processing.  User A has a PDF in his folder.  He does a right-click drag to the boss' folder and COPIES it there, and the newly created copy has the exact rights we need, the boss has full access to the file.  User B has a PDF in his folder and drags it over to the boss' folder, moving the file instead of copying.  The rights on that file stay the same, the boss has no access to it.  This is the part that we are looking to correct; on a move the permissions are not changing.

Hopefully this makes more sense now.


LVL 20

Accepted Solution

brwwiggins earned 1000 total points
ID: 29837561
By default when you move a file within the same NTFS volume it just updates the reference pointers and retains the permissions. Read the second section of this document


Basically, you can make a registry change to affect this behavior however the user requires change permissions.
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!


Expert Comment

ID: 29843423
Agree with brwwiggins here, though you have a full range of options/workarounds:

1) Go the registry route, per KB310316 (and brwwiggins' suggestion):
  • Set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MoveSecurityAttributes(DWORD)=0 on the client workstations for Users, A, B, etc. (or push these changes via Group Policy if you want to easily target a particular department/workgroup).
2) Move the "Boss" subfolder to a different NTFS volume than User A or User B. (That way file moves pick up inheritance from the "Boss" parent folder, per NTFS rules, instead of retaining their original permissions.)

3) Upgrade the client machines for User A, User B, etc. to Vista or Windows 7 (these OSes now force inheritance on a Move action within Explorer). Reference http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/99347e70-9eb2-44dd-8c57-c1ff6fd51e93 or http://www.windowsitpro.com/article/permissions/ntfs-inheritance-rule-change.aspx. I am also able to duplicate this scenario favorably using Win7.

4) Create a Scheduled Task to reapply inheritance against the Boss folder. Could be as easy as icacls volume:\Boss /reset /t from the CLI, or as fancy as WMI, PowerShell, VBscript.

Personally, I think #2 requires the least amount of administrative effort (assuming you have a second volume or file server capable of hosting the Boss folder). Good luck!  :)

Author Comment

ID: 29953957

We tried the registry change that was shown in the second half of that Microsoft article, but documents that are moved are still retaining the original folders permissions.  That wouldn't require a reboot, would it?


Assisted Solution

mark1208 earned 1000 total points
ID: 29956856
Hi Links,

I just tested this on an XP SP3 client, and the registry setting took effect immediately without reboot. Maybe take a second look and make sure that the MoveSecurityAttributes key was added as a DWORD value to the correct location (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer)? Screenshot attached.

Also, make sure that the registry change is being done at the client-level and not on the server. You might also test with a local set of folders, just to make sure that everything is working as advertised. Again, the change was instantaneous for me both locally as well as when moving files remotely via UNC or mapped network drive.

Hang in there!


Author Comment

ID: 29959789
Ah, that's what I missed; I did it on the server, not the clients.  I will try again from the client side and see how it goes.  Thanks!

Expert Comment

ID: 30281155
Hi Links, just following up on this issue. Did apply the registry change at the client level produce the intended results? Did any of the other proposed workarounds resolve your problem?


Author Comment

ID: 30521668
Hey guys, sorry to be so late responding, but yes, this did work for us.  Once we got that entered on all the client machines everything worked perfectly.  Thank you both for the help!

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
In the video, one can understand the process of resizing images in single or bulk. Kernel Bulk Image Resizer is an easy to use tool for resizing large number of images. One can add and resize multiple images with this tool in single go. The video sh…
Did you know PowerShell can save you time with SaaS platforms? Simply leverage RESTfulAPIs to build your own PowerShell modules. These will kill repetitive tickets and tabs, using the command Invoke-RestMethod. Tune into this webinar to learn how…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question